0.8.0 Mysql-Legacy not random... #3138

Closed
freman opened this issue Aug 10, 2017 · 6 comments
freman commented Aug 10, 2017

Environment:

  • Vault Version: Vault 0.8.0
  • Operating System/Architecture: Docker (library/vault:latest)

Startup Log Output:

vault_1   | ==> Vault server configuration:
vault_1   |
vault_1   |                      Cgo: disabled
vault_1   |          Cluster Address: https://0.0.0.0:8201
vault_1   |               Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
vault_1   |                Log Level: info
vault_1   |                    Mlock: supported: true, enabled: false
vault_1   |         Redirect Address: http://0.0.0.0:8200
vault_1   |                  Storage: inmem
vault_1   |                  Version: Vault v0.8.0
vault_1   |              Version Sha: af63d879130d2ee292f09257571d371100a513eb
vault_1   |
vault_1   | ==> WARNING: Dev mode is enabled!
vault_1   |
vault_1   | In this mode, Vault is completely in-memory and unsealed.
vault_1   | Vault is configured to only have a single unseal key. The root
vault_1   | token has already been authenticated with the CLI, so you can
vault_1   | immediately begin using the Vault CLI.
vault_1   |
vault_1   | The only step you need to take is to set the following
vault_1   | environment variables:
vault_1   |
vault_1   |     export VAULT_ADDR='http://0.0.0.0:8200'
vault_1   |
vault_1   | The unseal key and root token are reproduced below in case you
vault_1   | want to seal/unseal the Vault or play with authentication.
vault_1   |
vault_1   | Unseal Key: BAmiUA5mSp7u4FSqQbhlTuVWteaVBQQxJDhMlcvqIiQ=
vault_1   | Root Token: 90c23737-e89a-4a82-ba33-d1f005c61c08b
vault_1   |
vault_1   | ==> Vault server started! Log data will stream in below:
vault_1   |
vault_1   | 2017/08/10 02:06:53.117809 [INFO ] core: security barrier not initialized
vault_1   | 2017/08/10 02:06:53.118117 [INFO ] core: security barrier initialized: shares=1 threshold=1
vault_1   | 2017/08/10 02:06:53.118394 [INFO ] core: post-unseal setup starting
vault_1   | 2017/08/10 02:06:53.135223 [INFO ] core: loaded wrapping token key
vault_1   | 2017/08/10 02:06:53.138862 [INFO ] core: successfully mounted backend: type=generic path=secret/
vault_1   | 2017/08/10 02:06:53.138897 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
vault_1   | 2017/08/10 02:06:53.140253 [INFO ] core: successfully mounted backend: type=system path=sys/
vault_1   | 2017/08/10 02:06:53.140509 [INFO ] rollback: starting rollback manager
vault_1   | 2017/08/10 02:06:53.141512 [INFO ] expiration: restoring leases
vault_1   | 2017/08/10 02:06:53.142655 [INFO ] core: post-unseal setup complete
vault_1   | 2017/08/10 02:06:53.143054 [INFO ] core: root token generated
vault_1   | 2017/08/10 02:06:53.143090 [INFO ] core: pre-seal teardown starting
vault_1   | 2017/08/10 02:06:53.143160 [INFO ] core: cluster listeners not running
vault_1   | 2017/08/10 02:06:53.143180 [INFO ] rollback: stopping rollback manager
vault_1   | 2017/08/10 02:06:53.143486 [INFO ] core: pre-seal teardown complete
vault_1   | 2017/08/10 02:06:53.143696 [INFO ] core: vault is unsealed
vault_1   | 2017/08/10 02:06:53.143760 [INFO ] core: post-unseal setup starting
vault_1   | 2017/08/10 02:06:53.143826 [INFO ] core: loaded wrapping token key
vault_1   | 2017/08/10 02:06:53.143983 [INFO ] core: successfully mounted backend: type=generic path=secret/
vault_1   | 2017/08/10 02:06:53.144075 [INFO ] core: successfully mounted backend: type=system path=sys/
vault_1   | 2017/08/10 02:06:53.144091 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
vault_1   | 2017/08/10 02:06:53.144281 [INFO ] rollback: starting rollback manager
vault_1   | 2017/08/10 02:06:53.144663 [INFO ] expiration: restoring leases
vault_1   | 2017/08/10 02:06:53.144905 [INFO ] core: post-unseal setup complete

Expected Behavior:
Username should be unique

shannon@mac ~ $ vault read database/creds/event-event
Key            	Value
---            	-----
lease_id       	database/creds/event-event/6fd72baa-bb1d-79ca-e8b5-aac321284fae
lease_duration 	6h0m0s
lease_renewable	true
password       	a23c2eb3-6489-ddcb-e2e2-fa98871f2d90
username       	v-toke-even-umR8

shannon@mac ~ $ vault read database/creds/event-event
Key            	Value
---            	-----
lease_id       	database/creds/event-event/aac4464d-d19b-44a0-90c9-7873c9c2c634
lease_duration 	6h0m0s
lease_renewable	true
password       	ec4a5596-4c7b-4856-c96a-a3f4a6fa2d6b
username       	v-toke-even-n39h

Actual Behavior:
Plugin fails to generate unique credentials

shannon@mac ~ $ vault read database/creds/event-event
Key            	Value
---            	-----
lease_id       	database/creds/event-event/af800b43-6ba7-7703-cc6a-b8ee6bbde935
lease_duration 	6h0m0s
lease_renewable	true
password       	A1a-28q5w39u0379zvqw
username       	v-toke-even-A1a-

shannon@mac ~ $ vault read database/creds/event-event
Error reading database/creds/event-event: Error making API request.

URL: GET http://localhost:8200/v1/database/creds/event-event
Code: 500. Errors:

* 1 error occurred:

* Error 1396: Operation CREATE USER failed for 'v-toke-even-A1a-'@'%!'(MISSING)

Steps to Reproduce:

export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=90c23737-e89a-4a82-ba33-d1f005c61c08b
docker run -d --name mysql -p 3306:3306 -e MYSQL_ALLOW_EMPTY_PASSWORD=1 mysql:5.6 
docker run -d --name vault -p 8200:8200 -e VAULT_DEV_ROOT_TOKEN_ID=$VAULT_TOKEN --cap-add IPC_LOCK --link mysql vault:latest server -dev

sleep 30

vault mount database
vault write database/config/event plugin_name=mysql-legacy-database-plugin connection_url="root:@tcp(mysql:3306)/" allowed_roles=event-event
vault write database/roles/event-event db_name=event creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'" default_ttl=6h max_ttl=87600h



vault read database/creds/event-event
sleep 1
vault read database/creds/event-event
@hashicorp hashicorp deleted a comment from steveoc64 Aug 10, 2017
jefferai (Member) commented

@briankassouf @calvn basically the combination of d68f283 and #2812 ends up making user names too long for legacy mysql, which is limited to 16 characters. Probably for legacy mysql we're better off being mostly or purely random (perhaps just a v- in front).

I think legacy mysql (and maybe rds) are the only dbs with such a low length limit although we should check.
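An added example, not part of this thread and not Vault's own code, of the username shape jefferai suggests for length-limited databases: keep a short `v-` prefix, shrink the human-readable hints first, and never truncate the random part. The 16-character limit is the one stated above; the 10-character random suffix, the alphanumeric alphabet, and the function names are my assumptions. The reported name `v-toke-even-A1a-` shows the failure mode this avoids: the hints consumed 12 of the 16 characters, so only four characters of the random value survived and the cut landed on a hyphen.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Assumed limits (not Vault's constants): legacy MySQL caps user names at
// 16 characters, and we reserve 10 of them for the random part.
const (
	legacyMySQLMaxUsername = 16
	randomSuffixLen        = 10
)

// randomAlnum draws n characters from a 62-symbol alphabet using crypto/rand,
// rejecting out-of-range bytes so every symbol is equally likely (no modulo bias).
func randomAlnum(n int) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	const limit = 256 - 256%len(alphabet) // 248: bytes at or above this are redrawn
	out := make([]byte, 0, n)
	buf := make([]byte, n)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		for _, b := range buf {
			if len(out) == n {
				break
			}
			if int(b) >= limit {
				continue
			}
			out = append(out, alphabet[int(b)%len(alphabet)])
		}
	}
	return string(out), nil
}

// sanitize keeps only ASCII letters and digits, so a hint can never carry a
// quote or other character that would break the quoted CREATE USER identifier.
func sanitize(s string) string {
	var b strings.Builder
	for _, r := range s {
		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// composeUsername builds "v-<hint>-<suffix>", truncating only the hint when the
// whole name would exceed maxLen, so the random suffix is always kept intact.
// It fails if even "v-<suffix>" does not fit, rather than silently shortening it.
func composeUsername(displayName, roleName, suffix string, maxLen int) (string, error) {
	const prefix = "v-"
	budget := maxLen - len(prefix) - len(suffix) // characters left for "<hint>-"
	if budget < 0 {
		return "", errors.New("random suffix does not fit within the username length limit")
	}
	var parts []string
	for _, h := range []string{displayName, roleName} {
		if h = sanitize(h); h != "" {
			parts = append(parts, h)
		}
	}
	hint := strings.Join(parts, "-")
	if len(hint)+1 > budget { // +1 for the separator before the suffix
		if budget <= 1 {
			hint = ""
		} else {
			hint = hint[:budget-1]
		}
	}
	hint = strings.TrimRight(hint, "-") // never end the hint on the separator
	if hint == "" {
		return prefix + suffix, nil
	}
	return prefix + hint + "-" + suffix, nil
}

// buildUsername is the caller-facing helper: fresh random suffix, legacy limit.
func buildUsername(displayName, roleName string) (string, error) {
	suffix, err := randomAlnum(randomSuffixLen)
	if err != nil {
		return "", err
	}
	return composeUsername(displayName, roleName, suffix, legacyMySQLMaxUsername)
}

func main() {
	for i := 0; i < 3; i++ {
		u, err := buildUsername("token", "event-event")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s (len %d)\n", u, len(u))
	}
}
```

With the thread's inputs ("token" display name, "event-event" role) this yields names like `v-tok-` followed by ten random characters: exactly 16 characters, with 62^10 possible suffixes regardless of how long the role name is. Collisions become a matter of entropy rather than of luck in truncation, which is the property the 0.7.3 behaviour had only by accident.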


freman commented Aug 10, 2017

@jefferai we didn't run into a problem in 0.7.3 (in fact we've rolled back to 0.7.3) although that seems to be pure luck.

Our eventual platform will be Amazon so we can't just upgrade mysql and cross our fingers.

jefferai (Member) commented

The username format changed since then, which caused this. For most purposes the legacy backend can be used instead for the moment with 0.8. I'm not sure when the next release will be, but it might be as early as next week. Depending on that timing we also might provide a replacement plugin that is fixed that you can just tell the backend to use instead until the built-in version is updated.

@jefferai jefferai added this to the 0.8.1 milestone Aug 11, 2017
briankassouf (Contributor) commented

This should be fixed with #3141, and we are planning a release for later next week that will include this fix. In the meantime we made it easy to build the legacy MySQL plugin as an external plugin and run it instead of the builtin version with this regression. Below I'll outline how to build and run the patched plugin, but wanted to note that if need be the vault team can provide a prebuilt binary, just reach out!

To build and run an external MySQL plugin, first the binary will need to be compiled and placed in the configured plugin directory (if you have not configured the plugin directory with Vault, please do so now).

As a prerequisite to building the plugin, go must be installed and your $GOPATH must be properly set. Additionally you will have to check out the Vault source code from git. Please see the compiling from source docs for more information on how to set up go and check out Vault's source. Also as a note, these commands work on macOS; on Linux or Windows the commands might need to be changed a bit.

Once the environment is set up we can build the plugin:

plugin_dir=<replace with configured plugin directory>
make mysql-legacy-database-plugin
cp bin/mysql-legacy-database-plugin $plugin_dir
sha256=$(shasum -a 256 $plugin_dir/mysql-legacy-database-plugin | awk '{print $1}')

We now have a compiled binary in our plugin directory and its SHA256 sum stored in an env variable. Next we will need to add the plugin to the plugin catalog. Writing to the plugin catalog requires a Vault token with sudo permissions:

vault write sys/plugins/catalog/mysql-legacy-database-plugin \
    sha_256=$sha256 \
    command=mysql-legacy-database-plugin

We can verify the plugin is in the catalog and the builtin flag is set to false:

$ vault read sys/plugins/catalog/mysql-legacy-database-plugin
Key    	Value
---    	-----
args   	[]
builtin	false
command	/Users/brian/vault-plugins/mysql-legacy-database-plugin
name   	mysql-legacy-database-plugin
sha256 	5ZSvWao9ZXxrwKett85hhKOxK2s3RlzbiZKvOSGHeAE=

Now that we have the plugin in the catalog we just need to reset the existing mysql connection and upon reset it will load the new external plugin. In the below command be sure to replace the path to the database connection with your mount location and connection name:

vault write -f /database/reset/mysql

That should restart the connection and load the new external plugin that was just registered to the plugin catalog.

To undo this change (when the next vault release comes out) simply delete the entry from the plugin catalog and reset the plugin again:

vault delete sys/plugins/catalog/mysql-legacy-database-plugin
vault write -f /database/reset/mysql

And we can verify the plugin now has the builtin flag equal to true:

$ vault read sys/plugins/catalog/mysql-legacy-database-plugin
Key    	Value
---    	-----
args   	<nil>
builtin	true
command
name   	mysql-legacy-database-plugin
sha256 	<nil>


freman commented Aug 13, 2017

this is awesome news

jefferai (Member) commented

Closing as this fix will be in the next version which will be out soon.
